Want to stay anonymous online? Don't share files

A security flaw in the popular Tor online anonymity software could put users who share files online at risk of being identified, according to details recently released by a team of researchers in France.

The open source Tor software, which is free to download, routes traffic through a series of servers, each of which encrypts the data. This is designed to make it difficult for eavesdroppers to identify anyone using the software as they send messages, browse the web or download files.

Tor is thought to be widely used by political dissidents in many countries. In Egypt, usage spiked dramatically during the period preceding the ousting of Hosni Mubarak as president early this year. But activists may be putting themselves at risk when using Tor.

When the software is used in conjunction with the BitTorrent file-sharing system, some of the traffic may not go through the Tor network. Stevens Le Blond and colleagues at the Grenoble and Sophia Antipolis branches of French national research agency INRIA have shown that by comparing the traffic inside and outside the Tor network, it is possible to trace online activity back to the sender.

In a paper presented on 29 March at the Workshop on Large-Scale Exploits and Emergent Threats in Boston, Le Blond and his team describe how they mounted the privacy attack. As they monitored traffic inside and outside the Tor network during a three-week period in 2010, they identified 10,000 internet protocol (IP) addresses being used to send data.

They could then have recorded the browsing histories of people operating from these addresses - although they did not do so. Government agents can often use an IP address as a means of identifying an individual user.

BitTorrent is so widely used that the de-anonymisation risk applied to almost 1 in 10 communication streams carried over Tor. "We found that a significant fraction of all Tor traffic was at risk of being traced," says Le Blond.

Engineers at the Tor Project, the non-profit company that develops the software, noted the flaw last year - when Le Blond's team first identified it, but before they released these details - and warned against sending BitTorrent traffic through the system.

"There are lots of vulnerabilities in Tor, and Tor has always been open about the various vulnerabilities in its system," says Hal Roberts at Harvard University, who studies censorship and privacy technologies. "Tor is far from perfect but better than anything else widely available."
